Windows AD and MIT KDC Cross-Realm Trust
Douglas E. Engert
deengert at anl.gov
Mon Feb 16 19:56:52 EST 2004
Digant Kasundra wrote:
>
> > That is the only way to do it. There is no term called
> > "pass-through" authentication within Kerberos. The
> > authentication between the MIT and Microsoft realms are based
> > on cross-realm trusts. This is exactly what is described on the page:
>
> I guess I am using the phrase "pass-through" authentication as it is
> referenced below:
>
> http://acd.ucar.edu/~fredrick/linux/kerberos/testbed.html
>
> (e.g. a workstation on a domain authning against Krb and authzing against AD
> as opposed to a standalone workstation doing the same thing).
>
> Sorry for my misunderstandings.
>
> That being the case, when a user tries to log in using bwinkle at kerb.uta.edu,
> I do see a request hit the KDC but the user still does not get logged in.
> According to the logs, I see an AS_REQ "bwinkle at KERB.UTA.EDU for
> krbtgt/KERB.UTA.EDU at KERB.UTA.EDU".
Yes, that is the first step.
This would then be used by the workstation to get a ticket for the workstation
if the workstation is in the same realm as the user. If not, this would be used
to get a cross-realm krbtgt.
> In my principles on the KDC machine
> (montyburns), I have bwinkle at KERB.UTA.EDU, krbtgt/KERB.UTA.EDU at KERB.UTA.EDU,
> krbtgt/KERB.UTA.EDU at UTA.EDU and krbtgt/UTA.EDU at KERB.UTA.EDU (as well as the
> kadmin ones that are created at install).
>
> What else should I look at?
Is the workstation part of a domain?
What does ksetup on the workstation show?
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
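As an added illustration (not code from the thread), the following models the chain of tickets a domain-joined workstation walks for the logon described above, and checks an MIT KDC principal list for the two cross-realm krbtgt entries a two-way trust needs. The realm names are the ones from the thread; the workstation host name and the listprincs output are constructed.

```python
# Added example, not from the mailing-list thread. Realm names follow the
# thread; the host name and the kadmin listprincs output are constructed.

def ticket_chain(user_princ, ws_host, ws_realm):
    """Return the (request type, service principal) pairs for a logon.

    Step 1 is always the AS_REQ for the user's own TGT in the user's realm.
    When the workstation is in another realm, that TGT is exchanged for a
    cross-realm TGT (krbtgt/<workstation realm>@<user realm>) before the
    host ticket for the workstation can be requested.
    """
    _user, user_realm = user_princ.rsplit("@", 1)
    chain = [("AS_REQ", f"krbtgt/{user_realm}@{user_realm}")]
    if ws_realm != user_realm:
        chain.append(("TGS_REQ", f"krbtgt/{ws_realm}@{user_realm}"))
    chain.append(("TGS_REQ", f"host/{ws_host}@{ws_realm}"))
    return chain


def missing_trust_principals(listprincs_output, realm_a, realm_b):
    """Return the cross-realm krbtgt principals absent from listprincs output.

    A two-way trust between realm_a and realm_b needs both
    krbtgt/realm_b@realm_a and krbtgt/realm_a@realm_b on the KDC. Presence
    is all this checks; the keys must also match the other KDC's copy.
    """
    have = {ln.strip() for ln in listprincs_output.splitlines() if ln.strip()}
    needed = [f"krbtgt/{realm_b}@{realm_a}", f"krbtgt/{realm_a}@{realm_b}"]
    return [p for p in needed if p not in have]


# Constructed listprincs output: one direction of the trust is missing.
LISTPRINCS = """\
K/M@KERB.UTA.EDU
bwinkle@KERB.UTA.EDU
kadmin/admin@KERB.UTA.EDU
kadmin/changepw@KERB.UTA.EDU
krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
krbtgt/UTA.EDU@KERB.UTA.EDU
"""

if __name__ == "__main__":
    for step in ticket_chain("bwinkle@KERB.UTA.EDU", "ws1.uta.edu", "UTA.EDU"):
        print(*step)
    print("missing:", missing_trust_principals(LISTPRINCS, "KERB.UTA.EDU", "UTA.EDU"))
```

The first AS_REQ in the chain is the one visible in the KDC log; the later TGS_REQs are where a missing or mismatched cross-realm principal shows up.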